New attacks on Windows' secondary components

PATCH WATCH
New attacks on Windows' secondary components

By Susan Bradley

July's security updates target vulnerabilities in Windows Journal, DirectShow, On-Screen Keyboard and other supporting components. But the bulk of July updates, once again, consists of nonsecurity fixes for all current versions of Office and their associated applications.

With Flash Player, only the Windows 8 editions of IE 10 and IE 11 get their Flash Player updates from Microsoft Updates. On Win7 and lower, IE 10 and IE 11 use the IE Flash Player installer from Adobe, just like everyone else. Starting with Flash Player 14.0.x it is necessary to run the Flash Player uninstaller before running the Flash Player installer to update the Active-X (IE) version. Firefox uses the non-IE Flash Player installer. I don't recall having to do an uninstall before updating for Firefox. Chrome in all versions uses PepperFlash, which is updated automatically with each new release of Chrome, but must be manually extracted and installed for Chromium. Firefox for Linux uses the NPAPI (Netscape Protocol) Flash Player Plugin from Adobe, which has not been version-updated for Linux in some time, resulting in functional and security issues.

As of April 29, 2014, Chrome and Chromium for Linux no longer support the Netscape Protocol (NPAPI) Plugins (the ones Firefox uses). So users MUST use PepperFlash in Linux. (Mac and Windows protocols will be changed over in an upcoming Chrome update.) For Linux users, this may involve a convoluted double-download, in which the Chrome Installer is downloaded, PepperFlash is extracted, and the Pepper Plugin is transferred to the appropriate Chromium areas. Ubuntu will update PepperFlash in a single step, from the Ubuntu Software Centre. So far, as of this posting, PepperFlash for Linux has not been updated to Version 14.0.0.145. Expect this to happen soon Linux users. Windows and Mac users have already seen the update.

Starting with Flash Player 14.0.x it is necessary to run the Flash Player uninstaller before running the Flash Player installer to update the Active-X (IE) version.

I don't know where you got this information, but I have installed Flash Player 14.0.0.125 and 14.0.0.145 for both IE and Firefox on top of the old version for both Windows 7sp1 and 8.1.1. I have never uninstalled any version of Flash.

After installing KB2973201 the Tablet PC Input Panel keyboard can not be moved with a stylus or touch input. It can be moved with a mouse. Of course, this makes the keyboard extremely difficult to use at all in any normal touch or stylus context.

KB2973201 is the Windows Update KB number for an Important rated security vulnerability, MS14-039, which resolves a vulnerability that could allow privilege escalation. This patch was released to the public July 8, 2014.

To be clear, this is not the on-screen keyboard opened in accessibility options (or by searching for OSK). It is the keyboard opened from the "Tablet PC Input Panel" (or by searching Tablet PC Input Panel).

The patch can be uninstalled using the following elevated command line or powershell. Uninstalling brings back the expected behavior of this keyboard after restarting.

wusa /uninstall /kb:2973201

https://community.flexerasoftware.co...oft-KB-2962872
We are actively investigating the incompatibility of many versions of InstallShield with Microsoft's recent security update to IE (KB 2962872). At this point it is not yet fully clear whether the root cause is our existing code or Microsoft's update. Once we identify the root cause, we expect to offer an update to address this issue. Internally we are tracking this issue under number IOJ-1662902. If you ensure that your support engineer adds your report there, we can notify you when new information is available. Alternately you can subscribe to this thread, as I will post further updates here.

None of the currently known workarounds are acceptable long term, but they include:

Uninstalling KB 2962872 (there are reports of cases where this did not help)
Emptying the content of several inline help .htm files (the IDE will still crash on close, but is usable in the mean time)

I don't know where you got this information, but I have installed Flash Player 14.0.0.125 and 14.0.0.145 for both IE and Firefox on top of the old version for both Windows 7sp1 and 8.1.1. I have never uninstalled any version of Flash.

YMMV

This is my experience on only one laptop.

IE 11 on Windows 7 SP1 did not allow the Flash Player plugin installer to run until I ran the Flash Player uninstaller. This was also indicated when a popup came up saying the Flash Player Installer had to stop and that I had to run the Flash Player Uninstaller to get the installer to run. This has happened with all versions of Flash Player for IE 11 on this computer since 14.0.0.x.

I do not know of anything unusual about my installation. I originally got IE 11 through Microsoft Update, and did not remove the previously installed IE10 on this laptop.

The only thing which might possibly be a difference is that I run Avast Free Antivirus on this laptop. Avast does protect certain System Files.

UPDATE: For Linux users (Chrome or Chromium Browsers) -- As of this posting, Google has not posted any intentions to update Pepper Flash for Linux. I don't find any explanation, but for Linux users there appears to be no forthcoming Pepper Flash 14.0.0.145 update. The end of Netscape Protocol Plugins (NPAPI) for Linux Chrome/Chromium users is scheduled for Chrome/Chromium 35, which should be out in a few weeks.

The only thing which might possibly be a difference is that I run Avast Free Antivirus on this laptop. Avast does protect certain System Files.

Avast could indeed be the answer. I also use Avast AV along with Online Armor Firewall, but I always disable them whenever I do any installations. This is so easy by just using the right click on the Tray Icons of each.

Regarding Linux Chromium Pepper Flash player update to version 14.0.0.145:

I found a method which I refined to extract the needed files from the Chrome for Linux Beta rpm installer and get those files where Chromium uses them. Thus, the actual version of pepper Flash in the revised Chromium will advance and provide the security fixes, but the browser when polled (chrome : plugins) will still display version 14.0.0.125 as the current version.

This is false, as when tested at the three Adobe official Flash Player test pages, the version returns as 14.0.0.145. Which is exactly what it is supposed to be.

The extraction process is a bit complex, but not out of the ordinary for experienced Linux users. I posted my find and my Ubuntu specific mods to the Google blog about this Chrome Pepper Flash update: HERE .

At present, this may be the best Linux Chromium users can do. At issue is the Chrome Component Update process, which Chromium for Linux does not participate in at this time under Versions 34 and 35.
Update: My method was incomplete. There's one last cosmetic step to take.

Using any Editor with Root privileges, edit /usr/lib/pepflashplugin-installer/pepflashplayer.sh to read the current version where listed in the file. It only appears once, and it's a short file. Now everything's in sync and up to date.

Chromium now displays in "chrome : plugins" the .145 version number. When tested at the three Adobe Test Pages, the Pepper Flash version was revealed to be the .145 upgrade, just as it should be. All security requirements should now be met, and Chrome itself knows it has had the update

New Update: As of July 16, 2014, my Chromium for Ubuntu Linux got an update for Pepper Flash Plugin through the Ubuntu Updater. So I guess they finally got the Linux Pepper Flash up to date -- fully ten days after the security issue was first revealed. Pretty slow, if you ask me.